Quvex — Privacy Policy
1. Who we are
Quvex ("the app", "we", "us") is provided by Samuel Ehalaiye, based in New Zealand. Contact us about privacy at support@quvex.app. Quvex has no account and we do not receive your personal data; the only data we have any role in is the device IP address sent when the app loads the partner directory (§4).
2. No account — everything stays on your device
There is no sign-in, no cloud, no sync, and no back-up to any server we run. The information you enter is stored only on your own device; it never leaves your phone and is never sent to us, so we cannot see, store, share, or sell it.
3. What the app stores on your device
- Cycle and period dates, and any spotting entries you log.
- Symptoms, notes, and the profiles you set up (and the per-profile consent you record).
- App preferences: reminders, language, music-taste chips, and the city you optionally set.
This is held in the app's local storage and protected by your device's security. You can delete individual entries or whole profiles, or clear all app data, from within the app; uninstalling also removes it. We hold no copy. We run no server that stores your personal data, so there is no retention period to apply: your information lives only on your device until you delete it or uninstall Quvex, and there is nothing for us to retain or delete on your behalf.
4. Partner directory
To show occasional, labelled local-business suggestions, the app loads a public directory of partner businesses from our hosting provider (Google Firebase / Cloud Firestore). Like any internet request it includes your device's IP address and the app's public project identifier, but no cycle data, symptoms, profiles, city, or account. The request is a single, anonymous, read-only lookup — it is not signed in, carries no profile of you, and is never used for analytics or advertising. (The only other network activity the app starts on its own is a check with Google Play for app updates — Google's own mechanism, which sends us nothing about you; see §7.)
5. Information about another person
Quvex is a companion app, so the cycle information you enter is often about someone else — which is sensitive health information that belongs to them. Because everything stays on your device and we never receive it, you use the app for your own personal/household purposes and we are not a holder or "controller" of that information. You may only add a profile for a person who knows and agrees, and both of you must be 18 or over (§10). If someone asks you to stop and delete their data, do so — it is removed from your device, and we hold no copy.
6. How Quvex stays free
Quvex is completely free: every feature is available to everyone, with no fees, subscriptions, in-app purchases, or ads. The developer currently funds it himself. We do not at present earn any commission from partner businesses. In future we may introduce a small, clearly-disclosed commission when a partner recommendation leads you to visit or buy from them — but placement is always merit-based, never paid, and it would change nothing about your privacy. We do not sell or share your personal information and do not run a data-driven advertising business.
7. Processors, transfers, and legal basis
Our hosting provider, Google Firebase (Cloud Firestore), serves the public partner directory (§4) as our processor; no personal data of yours is sent to it. We include no analytics, advertising, tracking, or crash-reporting components, use no sign-in, and request no location permission. The app also checks Google Play for app updates using Google Play's own update mechanism; this carries no Quvex data about you. Because we never receive your cycle or profile data, there is no server of ours that could be breached to expose it.
The directory request reaches Google's australia-southeast1 (Sydney) region, carrying
your IP address but no other personal data. For EU/EEA/UK users this is a transfer outside the
EEA/UK to a country without an adequacy decision; it is covered by the European Commission's
Standard Contractual Clauses (and UK Addendum) in Google's terms, and Google is certified under the
EU–US Data Privacy Framework for any US processing. Where we rely on a legal basis under the EU/UK
GDPR for this one request, it is our legitimate interest (Art 6(1)(f)) in operating the free
directory. We have weighed that interest against your rights (a legitimate-interests assessment): an
IP address may itself be personal data, but it is transient network metadata, we build no profile and
do not use it to identify or track you, and you initiate the request — so our interest does not
override your privacy. You can object to this processing simply by not using the partner directory.
Your cycle data — special-category health data under GDPR Article 9 — is processed by
you, on your device, for personal/household purposes; we are not its controller. We
are the controller only of that single directory request carrying your IP, and of
nothing else.
8. Data security and breach notification
Your cycle data, symptoms, and profiles are protected by your device's own security and by the app's privacy features (such as a secure screen and neutral notifications). Because everything stays on your device and we keep no central copy, there is no store of ours that could be breached to expose it. In the unlikely event that a breach of the limited request data we do handle (§7) were likely to cause you serious harm, we would notify you and the New Zealand Privacy Commissioner as the Privacy Act 2020 requires.
9. Your rights
Because your information stays on your device, you can view, correct, delete, and export it in the app at any time. Depending on where you live — including under New Zealand's Privacy Act 2020, the EU/UK GDPR, California's CCPA/CPRA, the Washington, Nevada and Connecticut consumer-health laws, Canada's PIPEDA/Quebec Law 25, Brazil's LGPD, and similar laws — you have rights to access, correct, delete, and port your personal data, and to opt out of any sale or sharing. We do not sell or share your data and hold none of it, so these are satisfied on your device. You also have the right to object to the one piece of processing we carry out — the partner-directory request (§7) — which you can exercise simply by not using that feature. We collect no "consumer health data" and no precise location, share none, and do not geofence health facilities, so the United States consumer-health laws have nothing of yours to reach. To make a request, contact support@quvex.app; you may also complain to your local regulator (for example the NZ Privacy Commissioner, the UK ICO, or the Irish Data Protection Commission).
10. Children
Quvex is only for adults aged 18 or over and is not directed to children. You must be 18+ to use it, and you must not enter information about anyone under 18. We do not knowingly collect children's data (we collect no one's), and we are not aware of any minor's data reaching us; if you have a concern, contact support@quvex.app.
11. Law-enforcement requests
Your information exists only on your own device and is not held on any server we control, so we have nothing to disclose in response to a subpoena or other legal request.
12. Changes
If we change this policy we will post the updated version here and update the effective date above. For changes that materially affect your rights or how your data is handled, we will also show an in-app notice the next time you open Quvex, not only post it here. We will not introduce any feature that collects your personal data on a server (such as an account, back-up, or sync) without first updating this policy and obtaining your consent where the law requires it. This policy is written in English; if we provide a translation and it differs, the English version prevails.
13. Contact
Questions or requests: support@quvex.app. See also our Terms of Use.